Created attachment 1283: Suggested patch
A Match conditional with a Group keyword does not support negation of groups (i.e. don't apply if the person is a member of the named group). The following patch adds this functionality. A small change to wording on line 534 of servconf.c is also in order, but I haven't added that. I also did not check to see if this causes any major headaches with AllowGroups or DenyGroups, which also use the modified function (ga_match), but I don't believe it should. The one assumption which should be spelled out is that if you get a negation match, that is a breaker which causes further matching to stop.
Target 5.1. ga_match is used by more than just the "Match Group" so we will need to check carefully that this doesn't have side effects.
Yeah, the interactions between AllowGroups and DenyGroups (the two other places where ga_match is used) are weird enough without having negation thrown in the mix. Perhaps either add a flag to ga_match() to specify whether negation is allowed and only set it for the Match case, or create a separate ga_match_list() for the Match case.
Created attachment 1538: separate ga_match_pattern_list() function
Like this.
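As an added illustration (not the patch attached to this bug and not OpenSSH's own code), the following stand-alone C sketch shows the semantics the first comment spells out, namely that a matching negated ("!") pattern is a breaker that ends matching immediately, while a positive match does not stop the scan, so a later negation can still override it. It also follows the design suggested above of keeping this logic in a separate function used only for Match, so the AllowGroups/DenyGroups path is untouched. The function names, the small '*'/'?' glob matcher and the example group set are constructed here and are assumptions, not taken from the OpenSSH source.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Three-way outcome: a negated pattern that matches wins outright. */
#define GA_NOMATCH    0
#define GA_MATCH      1
#define GA_NEG_MATCH -1

/* Minimal glob (constructed for this example): '*' matches any run of
 * characters, '?' matches exactly one. Everything else is literal. */
static int glob_match(const char *pat, const char *s)
{
    for (;;) {
        if (*pat == '\0')
            return *s == '\0';
        if (*pat == '*') {
            while (*pat == '*')          /* collapse consecutive stars */
                pat++;
            if (*pat == '\0')
                return 1;
            for (; *s != '\0'; s++)
                if (glob_match(pat, s))
                    return 1;
            return 0;
        }
        if (*s == '\0')
            return 0;
        if (*pat != '?' && *pat != *s)
            return 0;
        pat++;
        s++;
    }
}

/* Match the user's groups against a comma-separated pattern list.
 * Patterns are tried left to right:
 *   - a '!'-prefixed pattern that matches any group returns GA_NEG_MATCH
 *     at once (the "breaker" described in the bug);
 *   - a positive pattern that matches records GA_MATCH but keeps scanning,
 *     so "staff,!guests" still denies a user who is in both groups;
 *   - if nothing matched the result is GA_NOMATCH.
 * Hypothetical name; this is not the function in the attached patch. */
int example_ga_match_pattern_list(const char *list,
                                  const char *const *groups, size_t ngroups)
{
    char *copy = strdup(list);
    if (copy == NULL)
        return GA_NOMATCH;

    int result = GA_NOMATCH;
    char *save = NULL;
    for (char *pat = strtok_r(copy, ",", &save); pat != NULL;
         pat = strtok_r(NULL, ",", &save)) {
        int negate = 0;
        if (*pat == '!') {
            negate = 1;
            pat++;
        }
        if (*pat == '\0')               /* a bare "!" or empty item */
            continue;
        for (size_t i = 0; i < ngroups; i++) {
            if (!glob_match(pat, groups[i]))
                continue;
            if (negate) {
                free(copy);
                return GA_NEG_MATCH;    /* stop matching immediately */
            }
            result = GA_MATCH;          /* remember, but keep scanning */
            break;
        }
    }
    free(copy);
    return result;
}

/* Constructed group membership used by the demo and the checks below. */
static const char *const example_groups[] = { "wheel", "staff", "guests" };

int match_example_groups(const char *list)
{
    return example_ga_match_pattern_list(list, example_groups,
                                         sizeof example_groups / sizeof example_groups[0]);
}

int main(void)
{
    const char *lists[] = { "staff", "wheel,!guests", "!admin,staff",
                            "admin*", "!*", "" };
    for (size_t i = 0; i < sizeof lists / sizeof lists[0]; i++)
        printf("%-14s -> %d\n", lists[i], match_example_groups(lists[i]));
    return 0;
}
```

Returning a distinct value for the negated case, rather than folding it into "no match", lets the caller that evaluates a Match block tell "this user is explicitly excluded" apart from "no pattern applied", which is exactly the distinction AllowGroups/DenyGroups code would not expect from the shared ga_match() and why a separate function is the safer place for it.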
patch applied - this will be in openssh-5.1. Thanks!
Mass update RESOLVED->CLOSED after release of openssh-5.1